A Couple of Things 



This may be a little technical in parts 

There will be a demo!! 

If the demo doesn't work I will do some 

interpretive dance 

I really hope the demo works 

I may have to be fast .. I hope you can keep up 




Security Onion is a network security monitoring (NSM) system that provides full context and forensic visibility into the traffic it monitors 

Designed to make deploying complex open source tools simple via a single package (Snort, Suricata, Sguil, Snorby etc.) 



Contains a truckload of security tools 

Easy setup wizard ... even a Windows Admin can do this! 

Has the ability to pivot seamlessly from one tool to the next .. one of the most effective collections of network security tools available in a single package 




Created by Doug Burks (cool dude .. could be a vampire .. he doesn't sleep) 

Grew out of a SANS Gold Paper 

He really wanted to make Sguil & NSM "easier to deploy" (mission accomplished!) 

He works for Mandiant 




"Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions." 

- Richard Bejtlich 




Get an alert (firewall, user etc.) 

Look for the alert in the SIEM tool 

Try to correlate with other events in the SIEM 

Oh yeah .. we haven't added that server to the SIEM yet - oopsies 

I think I can hear my parents calling me - I have to go now 




We can take an IDS alert 

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;) 

Sguil alert row (screenshot): 2012-04-15 01:47:22, 192.168.44.131:34379 -> 192.160.44.129:1234, protocol 17 (UDP), GPL SHELLCODE x86 NOOP 

And turn it into something useful! 

• Full traffic packet captures 
• ASCII transcripts of traffic 
• Ability to carve files (or malware) for later analysis 
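The pivot described above, as an added example that is not Sguil or Security Onion code: it takes the fields a Sguil alert row displays (sensor, alert id, date, time, source, destination, IP protocol number, message) and produces the BPF filter and tcpdump command that carve that one conversation out of the sensor's full-packet capture, which is what you then feed to a transcript viewer or a file carver. The pcap directory layout (/nsm/sensor_data/<sensor>/dailylogs/<date>/), the sample row and the sample packets are constructed assumptions for illustration, not data from the slides.

```python
"""Pivot from a Sguil alert row to the full-content pcap of that conversation.

Added example, not code from Sguil or Security Onion. The Sguil console shows
sensor, alert id, date, time, src, sport, dst, dport, IP protocol number and
message for each alert; those fields are all that is needed to carve the
conversation out of the sensor's daily pcap. The pcap directory layout below is
an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
import shlex

IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # protocol numbers as Sguil's Pr column shows them


@dataclass(frozen=True)
class Alert:
    sensor: str
    alert_id: str
    timestamp: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    msg: str


def parse_sguil_row(row: str) -> Alert:
    """Parse one whitespace-separated row in Sguil column order; msg is the remainder."""
    fields = row.split(None, 9)
    if len(fields) != 10:
        raise ValueError(f"expected 10 columns, got {len(fields)}: {row!r}")
    sensor, alert_id, date, time_, src, sport, dst, dport, proto, msg = fields
    when = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return Alert(sensor, alert_id, when, src, int(sport), dst, int(dport), int(proto), msg)


def bpf_for_alert(a: Alert) -> str:
    """BPF matching both directions of the alerting conversation."""
    proto = IP_PROTO.get(a.proto)
    if proto is None:
        raise ValueError(f"no BPF keyword for IP protocol {a.proto}")
    hosts = f"host {a.src_ip} and host {a.dst_ip}"
    if proto == "icmp":
        return f"{hosts} and icmp"  # ICMP has no ports to pin the flow down with
    # 'port X and port Y' requires each packet to carry both ports, so the
    # filter is direction-agnostic and picks up the replies as well.
    return f"{hosts} and {proto} and port {a.src_port} and port {a.dst_port}"


def pcap_dir(a: Alert) -> str:
    """Assumed sensor layout: /nsm/sensor_data/<sensor>/dailylogs/<YYYY-MM-DD>/."""
    return f"/nsm/sensor_data/{a.sensor}/dailylogs/{a.timestamp:%Y-%m-%d}"


def tcpdump_command(a: Alert, pcap_file: str, out_file: str) -> str:
    """Shell command writing only this conversation to out_file, ready for a
    transcript (tcpflow, Wireshark 'Follow stream') or a file carver."""
    argv = ["tcpdump", "-nn", "-r", pcap_file, "-w", out_file, bpf_for_alert(a)]
    return " ".join(shlex.quote(arg) for arg in argv)


def select_conversation(packets, a: Alert):
    """Same 5-tuple logic in Python over (src, sport, dst, dport, proto) tuples,
    useful to sanity-check the filter before running it over a day of pcap."""
    fwd = (a.src_ip, a.src_port, a.dst_ip, a.dst_port, a.proto)
    rev = (a.dst_ip, a.dst_port, a.src_ip, a.src_port, a.proto)
    return [p for p in packets if p in (fwd, rev)]


# Constructed sample row in the layout of the slide's Sguil screenshot; not a real event.
SAMPLE_ROW = ("sensor1-eth1 3.308 2012-04-15 01:47:22 192.168.44.131 34379 "
              "192.168.44.129 1234 17 GPL SHELLCODE x86 NOOP")

# Constructed packets: the alerting datagram, its reply, and two near misses.
SAMPLE_PACKETS = [
    ("192.168.44.131", 34379, "192.168.44.129", 1234, 17),
    ("192.168.44.129", 1234, "192.168.44.131", 34379, 17),
    ("192.168.44.131", 34379, "192.168.44.129", 1234, 6),   # same tuple but TCP
    ("192.168.44.131", 55555, "192.168.44.129", 1234, 17),  # different source port
]

if __name__ == "__main__":
    alert = parse_sguil_row(SAMPLE_ROW)
    print(bpf_for_alert(alert))
    print(tcpdump_command(alert, f"{pcap_dir(alert)}/snort.log.1334441000", "/tmp/event.pcap"))
    print(len(select_conversation(SAMPLE_PACKETS, alert)), "packets in the conversation")
```

The filter deliberately uses `port X and port Y` rather than `src port`/`dst port`, so one pass over the pcap returns the request and the reply; the carved file is then small enough to open in Wireshark or run through a carver without touching the rest of the day's capture.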







Run as a LiveCD - a great way to test it out 

Able to do the following installations: 

Quick Setup 
- Automatically configures most of the applications 
- Uses Snort and Bro to monitor all network interfaces by default 
- Also configures and enables Sguil, Squert and Snorby 

Advanced Setup 
- More control over the setup of Security Onion 
- Install either a Sguil server, Sguil sensor, or both 
- Select either Snort or Suricata as the IDS engine 
- Select an IDS ruleset: Emerging Threats, Snort VRT, or both 
- Configure the network interfaces monitored by the IDS engine and Bro 



Security Onion Setup (AusCERTSecOnion) dialog (screenshot): 

Would you like to use Quick Setup or Advanced Setup? 

Quick Setup is recommended for first-time users or standalone VMs: 
- ideal for quickly evaluating Security Onion 
- will automatically configure most details of your system 
- configures Snort and Bro to monitor one network interface 

Advanced Setup is recommended for production deployments: 
- gives you more control over the details of your system 
- allows you to build a distributed sensor network 
- you choose Sguil server, Sguil sensor, or both 
- you choose which IDS engine to use (Snort or Suricata) 
- you choose which IDS ruleset(s) to use (Emerging Threats, Snort VRT, or both) 
- you choose which network interfaces should be monitored by the IDS Engine and Bro 
- you choose how many processes to run for Snort/Suricata/Bro 

[ Advanced Setup ]   [ Quick Setup ] 



Pulled Pork keeps all the IDS rules up to date 

Updates rules from multiple sources 
(Sourcefire/Snort VRT, Emerging Threats etc.) 

Ability to disable rules with Pulled Pork (prevent 
certain events from triggering an alert) 

Fully automated! 




OF COURSE! 



alert tcp any any -> any 80 (msg:"Web Traffic"; content:"GET";) 

Header:  alert tcp any any -> any 80 
Options: (msg:"Web Traffic"; content:"GET";) 



Rules are written using the Snort format 

Rules can be added to a local rules configuration file to ensure they are never deleted or overwritten by the automated IDS rule updates 

Rules can be set to either alert or drop the traffic (drop only takes effect when the IDS engine runs inline; a sensor fed from a tap or SPAN port can only alert) 
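To show what the rule anatomy and the local-rules advice above amount to in practice, here is an added example that is not Snort, Security Onion or Pulled Pork code: a small Snort-format rule parser with a linter for the mistakes that keep a custom rule from loading or firing (no sid or rev, a sid in the range reserved for rules shipped with Snort, a drop action on a passive sensor), plus a deliberately simplified content check for smoke-testing a rule against a sample payload. It parses the two rules quoted on the slides; the "web_fixed" variant with sid 1000001 is my addition, and the 1,000,000 boundary is Snort's documented convention for local rule sids.

```python
"""Parse and lint Snort-format rules before they go into local.rules.
Added example, not code from Snort, Security Onion or Pulled Pork."""
import re
from collections import namedtuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for rules shipped with Snort
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
Rule = namedtuple("Rule", "action proto src src_port direction dst dst_port options")


def opt(rule, key):
    """All values of a (possibly repeated) option keyword, in rule order."""
    return [v for k, v in rule.options if k == key]


def parse_options(body):
    """Split the option body on ';' while respecting quotes and backslash escapes."""
    opts, buf, quoted, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and quoted:  # keep \" and \; inside strings verbatim
            buf, i = buf + body[i:i + 2], i + 2
            continue
        quoted ^= (c == '"')
        if c == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += c
        i += 1
    if quoted or buf.strip():
        raise ValueError("unterminated quote or option missing its trailing ';'")
    parsed = []
    for o in filter(None, opts):
        key, sep, value = o.partition(":")
        parsed.append((key.strip(), value.strip() if sep else None))
    return parsed


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a Rule."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    *header, body = m.groups()
    return Rule(*header, parse_options(body))


def lint(rule):
    """Human-readable problems; an empty list means the rule looks sane."""
    problems = []
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if not opt(rule, "msg"):
        problems.append("missing msg: the alert would carry no description")
    sids = opt(rule, "sid")
    if len(sids) != 1 or not sids[0].isdigit():
        problems.append("missing or malformed sid: Snort refuses to load the rule")
    elif int(sids[0]) < LOCAL_SID_MIN:
        problems.append(f"sid {sids[0]} is below {LOCAL_SID_MIN}, the range for local rules")
    if not opt(rule, "rev"):
        problems.append("missing rev: add rev:1 so later edits can be tracked")
    if rule.action in {"drop", "reject", "sdrop"}:
        problems.append(f"{rule.action} only blocks when Snort runs inline; "
                        "a sensor fed from a tap or SPAN port can only alert")
    return problems


def content_bytes(value):
    """Decode a quoted content string; |41 42| hex runs become raw bytes."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f"content value must be quoted: {value!r}")
    out = b""
    for i, part in enumerate(value[1:-1].split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def payload_matches(rule, payload):
    """Simplified check: each content (or negated !content) is a plain substring test.
    Modifiers (offset/depth/within, nocase, http_*) are ignored, so this over-approximates
    Snort; it is enough to show content:"GET" on port 80 fires on anything containing GET."""
    for value in opt(rule, "content"):
        negated = value.startswith("!")
        needle = content_bytes(value.lstrip("!").strip())
        if (needle in payload) == negated:
            return False
    return True


# The two rules quoted on the slides, plus the custom one with the sid/rev Snort requires.
PAGE_RULES = {
    "gpl_noop": 'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
                '(msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; '
                'fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)',
    "web_as_shown": 'alert tcp any any -> any 80 (msg:"Web Traffic"; content:"GET";)',
    "web_fixed": 'alert tcp any any -> any 80 (msg:"Web Traffic"; content:"GET"; sid:1000001; rev:1;)',
}

if __name__ == "__main__":
    for name, text in PAGE_RULES.items():
        rule = parse_rule(text)
        print(f"{name}: {rule.action} {rule.proto} -> port {rule.dst_port}; {lint(rule) or 'ok'}")
```

Run as a script it reports that the "Web Traffic" rule exactly as drawn on the slide has no sid and no rev, while the GPL rule and the fixed custom rule pass. The content check is intentionally naive: it is there to make the point that `content:"GET"` on its own matches any port-80 payload containing those bytes, which is why production web rules pin the match down with modifiers rather than a bare string.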
Sguil/Squert alert list (screenshot): ET TFTP Outbound TFTP Read Request; GPL TFTP GET nc.exe; GPL SHELLCODE x86 NOOP 

Snorby signature report (screenshot). Detail Lines: 10. Report Period: Friday May 17, 2013. 
Summary counters: 76 events, 28 total signatures, 9 total sources, 10 total destinations. 

Top Signatures (viewing 10 of 26 signatures; percentages are of the 76 events; where the Events column was unreadable the count is taken from the report's bar chart, and cells that could not be recovered are left blank): 

Signature | SID | Last event | Sources | Destinations | Events | % 
ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) | 2009358 | 01:41:09 | 1 | 1 | 16 | 21.05% 
GPL NETBIOS SMB IPC$ Unicode share access | 2100538 | 06:14:12 | 1 | 1 | 13 | 17.11% 
ET POLICY Dropbox Client Broadcasting | 2012648 | 06:15:12 | 1 | 1 | 7 | 9.21% 
GPL SHELLCODE x86 inc ebx NOOP | 2101390 | 01:54:43 | 3 | 3 | 4 | 5.26% 
GPL NETBIOS SMB-DS IPC$ share access | 2102465 | 01:41:09 | 1 |  | 3 | 3.95% 
ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt | 2012925 | 01:54:43 | 1 | 1 | 2 | 2.63% 
PADS New Asset - ssl OpenSSL | 1 | 01:53:23 | 2 | 2 | 2 | 2.63% 
ET POLICY Suspicious inbound to Oracle SQL port 1521 |  | 01:40:52 |  |  | 2 | 2.63% 
GPL SHELLCODE x86 NOOP |  | 01:59:31 | 1 |  | 2 | 2.63% 
ET SHELLCODE Possible Call with No Offset TCP Shellcode | 2012088 | 01:54:43 | 1 | 1 | 2 | 2.63% 





Over 60 custom tools, including: 

Snort - Signature based IDS 

Sguil - Security analyst console 

Squert - View HIDS/NIDS alerts and HTTP logs 

Snorby - View and annotate IDS alerts 

ELSA - Search logs (IDS, Bro and syslog) 

Bro - Powerful network analysis framework with highly detailed logs 

OSSEC - Monitors local logs, file integrity & rootkits 




If you want to find out more come see me at the 
Sophos stand - #58 






I'll also make this presentation available on the 
internet for you to share with your colleagues 



Project Home - http://code.google.com/p/security-onion/ 

Blog - http://securityonion.blogspot.com 

Mailing Lists - http://code.google.com/p/security-onion/wiki/MailingLists 

Google Group - https://groups.google.com/forum/?fromgroups#!forum/security-onion 

Wiki - http://code.google.com/p/security-onion/w/list 




